-rw-r--r--src/libimcv/plugins/imc_attestation/imc_attestation_process.c130
-rw-r--r--src/libimcv/plugins/imv_attestation/imv_attestation_build.c4
-rw-r--r--src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c2
3 files changed, 120 insertions, 16 deletions
diff --git a/src/libimcv/plugins/imc_attestation/imc_attestation_process.c b/src/libimcv/plugins/imc_attestation/imc_attestation_process.c
index 3975009ff..f91d8d8f5 100644
--- a/src/libimcv/plugins/imc_attestation/imc_attestation_process.c
+++ b/src/libimcv/plugins/imc_attestation/imc_attestation_process.c
@@ -16,6 +16,8 @@
#define _GNU_SOURCE
#include <stdio.h>
+/* for isdigit */
+#include <ctype.h>
#include "imc_attestation_process.h"
@@ -41,10 +43,61 @@
#include <tcg/tcg_pts_attr_unix_file_meta.h>
#include <debug.h>
+#include <utils/lexparser.h>
#define DEFAULT_NONCE_LEN 20
/**
+ * Convert string to u_int8_t
+ * code taken from http://www.codeguru.com/forum/showthread.php?t=316299
+ */
+static u_int8_t* string_to_bytearray(char *str_value)
+{
+ u_int32_t i;
+ u_int8_t *ret;
+
+ ret = malloc(strlen(str_value)/2);
+ for (i = 0; i < strlen(str_value)/2; i++)
+ {
+ char c1, c2;
+ u_int8_t d1, d2;
+
+ c1 = str_value[i*2];
+ c2 = str_value[i*2 + 1];
+
+ if (isdigit(c1))
+ {
+ d1 = c1 - '0';
+ }
+ else if (c1 >= 'A' && c1 <= 'F')
+ {
+ d1 = c1 - 'A' + 10;
+ }
+ else if (c1 >= 'a' && c1 <= 'f')
+ {
+ d1 = c1 - 'a' + 10;
+ }
+
+ if (isdigit(c2))
+ {
+ d2 = c2 - '0';
+ }
+ else if (c2 >= 'A' && c2 <= 'F')
+ {
+ d2 = c2 - 'A' + 10;
+ }
+ else if (c2 >= 'a' && c2 <= 'f')
+ {
+ d2 = c2 - 'a' + 10;
+ }
+ /* save value of two characters in one byte */
+ ret[i] = d1*16 + d2;
+ }
+
+ return ret;
+}
+
+/**
* Set parameters of Simple Component Evidence
*/
static bool set_simple_comp_evid_params(pts_ita_funct_comp_name_t name,
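Review bot: string_to_bytearray leaves d1 and d2 uninitialized whenever a character is not a hex digit, so a mistyped strongswan.conf value yields undefined bytes instead of an error, and the malloc() before the loop is never checked for NULL. The function also gives its callers no length: set_simple_comp_evid_params memcpy()s HASH_SIZE_SHA1 or PCR_LEN bytes out of a buffer that is only strlen()/2 bytes long, so a short setting reads past the allocation and an odd-length one silently drops its last digit. I would have it validate the input, return NULL on odd length, non-hex characters or allocation failure, and report the byte count through an out-parameter so callers can compare it with the size they are about to copy; isdigit() should be given an unsigned char, and strlen() should not be re-evaluated on every iteration. If libstrongswan's chunk_from_hex() helper exists in this tree it would replace the forum-sourced code outright (the codeguru attribution is also a licensing question worth settling before this lands).
```c
/* Value of one hex digit, or -1 if c is not a hex digit */
static int hex_nibble(char c)
{
	unsigned char u = (unsigned char)c;

	if (isdigit(u))
	{
		return u - '0';
	}
	if (u >= 'a' && u <= 'f')
	{
		return u - 'a' + 10;
	}
	if (u >= 'A' && u <= 'F')
	{
		return u - 'A' + 10;
	}
	return -1;
}

/**
 * Convert a hex string to a byte array.
 *
 * @param str_value		hex string with an even number of hex digits
 * @param len			receives the number of bytes written
 * @return				malloc()ed buffer (caller frees), or NULL if the
 *						string has odd length, contains a non-hex character
 *						or the allocation fails
 */
static u_int8_t* string_to_bytearray(char *str_value, size_t *len)
{
	size_t n = strlen(str_value), i;
	u_int8_t *ret;

	if (n % 2)
	{
		return NULL;
	}
	ret = malloc(n / 2 + 1);	/* +1 so an empty string still allocates */
	if (!ret)
	{
		return NULL;
	}
	for (i = 0; i < n / 2; i++)
	{
		int hi = hex_nibble(str_value[2 * i]);
		int lo = hex_nibble(str_value[2 * i + 1]);

		if (hi < 0 || lo < 0)
		{
			free(ret);
			return NULL;
		}
		ret[i] = (u_int8_t)(hi << 4 | lo);
	}
	*len = n / 2;
	return ret;
}
```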
@@ -55,7 +108,7 @@ static bool set_simple_comp_evid_params(pts_ita_funct_comp_name_t name,
time_t measurement_time_t;
struct tm *time_now;
char *utc_time;
-
+
params.name = name;
params.pcr_info_included = TRUE;
params.flags = PTS_SIMPLE_COMP_EVID_FLAG_NO_VALID;
@@ -80,7 +133,7 @@ static bool set_simple_comp_evid_params(pts_ita_funct_comp_name_t name,
{
time_now = localtime(&measurement_time_t);
if (asprintf(&utc_time,
- "%d-%2.2d-%2.2dT%2.2d:%2.2d:%2.2dZ",
+ "%d-%.2d-%.2dT%.2d:%.2d:%.2dZ",
time_now->tm_year + 1900,
time_now->tm_mon + 1,
time_now->tm_mday,
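Review bot: The timestamp built by the `asprintf` call ends in `Z`, i.e. it claims UTC, but the struct tm comes from `localtime()` on the line just above it, so on any host whose zone is not UTC the measurement time reported to the IMV is off by the zone offset. Use `gmtime_r(&measurement_time_t, &tm_buf)` with a local `struct tm tm_buf`, which also drops the non-reentrant static buffer that `localtime()` returns, and check its result before formatting. The `%.2d` change itself is correct. set_simple_comp_evid_params continues outside this hunk.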
@@ -95,20 +148,68 @@ static bool set_simple_comp_evid_params(pts_ita_funct_comp_name_t name,
params.measurement_time = chunk_clone(params.measurement_time);
free(utc_time);
}
- params.policy_uri = chunk_empty;
- params.measurement = chunk_empty;
-
- params.pcr_before = chunk_alloc(PCR_LEN);
- memset(params.pcr_before.ptr, 0, PCR_LEN);
- /* Set extended PCR, which varies from component to component */
- if (params.name == PTS_ITA_FUNC_COMP_NAME_TBOOT_POLICY)
+ params.policy_uri = chunk_empty;
+
+ /* Provisional/temporal implementation for trsutedGRUB measurements */
+ if (params.name != PTS_ITA_FUNC_COMP_NAME_TBOOT_POLICY &&
+ params.name != PTS_ITA_FUNC_COMP_NAME_TBOOT_MLE)
{
- params.extended_pcr = PCR_TBOOT_POLICY;
+ params.measurement = chunk_alloc(HASH_SIZE_SHA1);
+ memset(params.measurement.ptr, 0, HASH_SIZE_SHA1);
+ params.pcr_before = chunk_alloc(PCR_LEN);
+ memset(params.pcr_before.ptr, 0, PCR_LEN);
}
- else if (params.name == PTS_ITA_FUNC_COMP_NAME_TBOOT_MLE)
+
+ /* Set parameters which varies from component to component */
+ if (params.name == PTS_ITA_FUNC_COMP_NAME_TBOOT_POLICY ||
+ params.name == PTS_ITA_FUNC_COMP_NAME_TBOOT_MLE)
{
- params.extended_pcr = PCR_TBOOT_MLE;
+ char *measurement_str, *pcr_before_str, *pcr_after_str;
+ u_int8_t *measurement, *pcr_before, *pcr_after;
+
+ if (params.name == PTS_ITA_FUNC_COMP_NAME_TBOOT_POLICY)
+ {
+ params.extended_pcr = PCR_TBOOT_POLICY;
+ measurement_str = lib->settings->get_str(lib->settings,
+ "libimcv.plugins.imc-attestation.pcr17_meas", NULL);
+ pcr_before_str = lib->settings->get_str(lib->settings,
+ "libimcv.plugins.imc-attestation.pcr17_before", NULL);
+ pcr_after_str = lib->settings->get_str(lib->settings,
+ "libimcv.plugins.imc-attestation.pcr17_after", NULL);
+ }
+ else
+ {
+ params.extended_pcr = PCR_TBOOT_MLE;
+ measurement_str = lib->settings->get_str(lib->settings,
+ "libimcv.plugins.imc-attestation.pcr18_meas", NULL);
+ pcr_before_str = lib->settings->get_str(lib->settings,
+ "libimcv.plugins.imc-attestation.pcr18_before", NULL);
+ pcr_after_str = lib->settings->get_str(lib->settings,
+ "libimcv.plugins.imc-attestation.pcr18_after", NULL);
+ }
+
+ if (!measurement_str || !pcr_before_str || !pcr_after_str)
+ {
+ DBG1(DBG_IMC, "tboot: configure measurement, before and after value"
+ " for PCR%d", params.extended_pcr);
+ return FALSE;
+ }
+
+ params.measurement = chunk_alloc(HASH_SIZE_SHA1);
+ measurement = string_to_bytearray(measurement_str);
+ memcpy(params.measurement.ptr, measurement, HASH_SIZE_SHA1);
+ free(measurement);
+
+ params.pcr_before = chunk_alloc(PCR_LEN);
+ pcr_before = string_to_bytearray(pcr_before_str);
+ memcpy(params.pcr_before.ptr, pcr_before, PCR_LEN);
+ free(pcr_before);
+
+ params.pcr_after = chunk_alloc(PCR_LEN);
+ pcr_after = string_to_bytearray(pcr_after_str);
+ memcpy(params.pcr_after.ptr, pcr_after, PCR_LEN);
+ free(pcr_after);
}
else if (params.name == PTS_ITA_FUNC_COMP_NAME_TGRUB_MBR_STAGE1)
{
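Review bot: The three memcpy() calls copy HASH_SIZE_SHA1 and PCR_LEN bytes out of buffers that string_to_bytearray sized as strlen()/2, so a pcr17_*/pcr18_* setting shorter than the expected digit count reads beyond the heap allocation and a longer one is silently truncated; the string lengths should be checked before conversion, and the helper does not reject non-hex characters either. A caveat worth a comment: with this change the measurement, pcr_before and pcr_after for PCR17/18 are taken from strongswan.conf rather than from the TPM, so this evidence is only as trustworthy as the configuration file and the IMV must not mistake it for attested values — the "Provisional/temporal" comment (which also misspells trustedGRUB) should say so explicitly. The early `return FALSE` after the settings lookup leaves the measurement_time chunk cloned earlier in the function allocated unless the caller frees params on failure, which is not visible here. set_simple_comp_evid_params begins and ends outside this hunk.
```c
		if (!measurement_str || !pcr_before_str || !pcr_after_str)
		{
			/* … unchanged: DBG1 + return FALSE … */
		}
		/* string_to_bytearray() yields strlen()/2 bytes; the memcpy()s below
		 * copy fixed sizes, so reject values of the wrong length up front */
		if (strlen(measurement_str) != 2 * HASH_SIZE_SHA1 ||
			strlen(pcr_before_str) != 2 * PCR_LEN ||
			strlen(pcr_after_str) != 2 * PCR_LEN)
		{
			DBG1(DBG_IMC, "tboot: PCR%d measurement/before/after values must "
				 "be %d/%d hex characters", params.extended_pcr,
				 2 * HASH_SIZE_SHA1, 2 * PCR_LEN);
			return FALSE;
		}
		/* … unchanged: conversion and memcpy() of the three values … */
```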
@@ -414,7 +515,10 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
return FALSE;
}
- if (!pts->read_pcr(pts, params.extended_pcr, &params.pcr_after))
+ /* Get PCR after value from log when TBOOT is measuring entity */
+ if (!(name == PTS_ITA_FUNC_COMP_NAME_TBOOT_POLICY ||
+ name == PTS_ITA_FUNC_COMP_NAME_TBOOT_MLE) &&
+ !pts->read_pcr(pts, params.extended_pcr, &params.pcr_after))
{
DBG1(DBG_IMC, "error occured while reading PCR: %d",
params.extended_pcr);
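Review bot: The condition added in front of `read_pcr` folds the "is this a tboot component" test into the negated call, which reads as three stacked negations; clearer is a named flag such as `bool tboot = (name == PTS_ITA_FUNC_COMP_NAME_TBOOT_POLICY || name == PTS_ITA_FUNC_COMP_NAME_TBOOT_MLE);` followed by `if (!tboot && !pts->read_pcr(pts, params.extended_pcr, &params.pcr_after))`. The same two-name test appears twice more in set_simple_comp_evid_params, so one static helper would serve all three sites. For the tboot names pcr_after is never read from the TPM here and must already have been filled in by set_simple_comp_evid_params; a comment saying so at this site would stop a later reorder from sending an empty chunk. imc_attestation_process starts outside this hunk.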
diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation_build.c b/src/libimcv/plugins/imv_attestation/imv_attestation_build.c
index ed5c359b7..570bc8652 100644
--- a/src/libimcv/plugins/imv_attestation/imv_attestation_build.c
+++ b/src/libimcv/plugins/imv_attestation/imv_attestation_build.c
@@ -222,14 +222,14 @@ bool imv_attestation_build(pa_tnc_msg_t *msg,
qualifier.type = PTS_ITA_FUNC_COMP_TYPE_TRUSTED;
/* Send Request Functional Component Evidence attribute */
- name = PTS_ITA_FUNC_COMP_NAME_TGRUB_STAGE2_PART1;
+ name = PTS_ITA_FUNC_COMP_NAME_TBOOT_POLICY;
attr = tcg_pts_attr_req_funct_comp_evid_create(flags,
sub_comp_depth, PEN_ITA, qualifier, name);
attr->set_noskip_flag(attr, TRUE);
msg->add_attribute(msg, attr);
/* Send Request Functional Component Evidence attribute */
- name = PTS_ITA_FUNC_COMP_NAME_TGRUB_STAGE2_PART2;
+ name = PTS_ITA_FUNC_COMP_NAME_TBOOT_MLE;
attr = tcg_pts_attr_req_funct_comp_evid_create(flags,
sub_comp_depth, PEN_ITA, qualifier, name);
attr->set_noskip_flag(attr, TRUE);
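Review bot: The two request blocks differ only in the component name, and this change edits both in lockstep, which is the usual sign that they should be one loop over a small table of names so the set of requested components is visible in one place. A hedged caveat: according to the companion imc_attestation_process.c change, the IMC answers these two requests with values read from strongswan.conf rather than from the TPM, so the IMV side should treat the returned evidence as provisional until a TPM-backed path exists. imv_attestation_build continues outside this hunk.
```c
	pts_ita_funct_comp_name_t names[] = {
		PTS_ITA_FUNC_COMP_NAME_TBOOT_POLICY,
		PTS_ITA_FUNC_COMP_NAME_TBOOT_MLE,
	};
	size_t i;

	/* Send one Request Functional Component Evidence attribute per component */
	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
	{
		attr = tcg_pts_attr_req_funct_comp_evid_create(flags,
					sub_comp_depth, PEN_ITA, qualifier, names[i]);
		attr->set_noskip_flag(attr, TRUE);
		msg->add_attribute(msg, attr);
	}
```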
diff --git a/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c b/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c
index 58d9e922b..e4969c14c 100644
--- a/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c
+++ b/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c
@@ -609,7 +609,7 @@ pa_tnc_attr_t *tcg_pts_attr_simple_comp_evid_create(tcg_pts_attr_simple_comp_evi
.policy_uri = chunk_clone(params.policy_uri),
.pcr_before = params.pcr_before,
.pcr_after = params.pcr_after,
- .measurement = chunk_clone(params.measurement),
+ .measurement = params.measurement,
);
return &this->public.pa_tnc_attribute;
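Review bot: Dropping the chunk_clone() hands ownership of params.measurement to the attribute while `.policy_uri` two lines above is still cloned, so the create function now has mixed ownership semantics that nothing in this hunk documents; a caller that keeps freeing its measurement chunk after the call (the previous contract) double-frees, and one that passes a non-heap chunk hands the destructor a pointer it cannot free. The function's header comment, outside this hunk, should state which chunk_t fields of params are taken over and which are copied, e.g. `@param params  pcr_before, pcr_after and measurement are taken over and freed by the attribute; policy_uri is cloned`. If uniform transfer is the intent, policy_uri should follow; otherwise cloning measurement and freeing it in the caller is the safer choice.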